<?php

require 'require.php';


// Mode : Checkid_immediate
if (isset($_GET['openid_mode']) && ($_GET['openid_mode'] == 'checkid_immediate')) {
	
// Verification Identity
	if (!(isset($_GET['openid_identity']) && ($_GET['openid_identity']))) {
		?><b>Error</b> : Your request did not contain the value "openid.identity".<?
		exit;
	}
	
	// Verification Identity Domain
	if (!(strpos($_GET['openid_identity'], str_replace('www.', '', OPENIDOO_DOMAIN)) !== FALSE)) {
		?><b>Error</b> : OpenIDOO is not authorized to verify the identity "<?=htmlentities($_GET['openid_identity'], ENT_QUOTES, 'UTF-8')?>".<?
		exit;
	}

	// Verification Return To
	if (!(isset($_GET['openid_return_to']) && ($_GET['openid_return_to']))) {
		?><b>Error</b> : Your request did not contain the value "openid.return_to".<?
		exit;
	}

	// Verification Scheme URL Return To
	$openid_return_to = parse_url($_GET['openid_return_to']);
	if (!(isset($openid_return_to['scheme']) && ($openid_return_to['scheme']) && isset($openid_return_to['host']) && ($openid_return_to['host']))) {
		?><b>Error</b> : The value "openid.return_to" is not valid ("<?=htmlentities($_GET['openid_return_to'], ENT_QUOTES, 'UTF-8')?>").<?
		exit;
	}
	
	// Verification URL Trust Root
	if (isset($_GET['openid_trust_root']) && ($_GET['openid_trust_root'])) {

		// Verification Scheme URL Trust Root
		$openid_trust_root = parse_url($_GET['openid_trust_root']);
		if (!(isset($openid_trust_root['scheme']) && ($openid_trust_root['scheme']) && isset($openid_trust_root['host']) && ($openid_trust_root['host']))) {
			?><b>Error</b> : The value "openid.trust_root" is not valid ("<?=htmlentities($_GET['openid_trust_root'], ENT_QUOTES, 'UTF-8')?>").<?
			exit;
		}

		// Verification URLs Return To and Trust Root
		if (!(strpos($openid_trust_root['host'], $openid_return_to['host']) !== FALSE)) {
			?><b>Error</b> : The "openid.trust_root" Host is different of the "openid.return_to" Host ("<?=htmlentities($openid_trust_root['host']." - ".$openid_return_to['host'], ENT_QUOTES, 'UTF-8')?>").<?
			exit;
		}
	}

	$_SESSION['openid_mode'] = $_GET['openid_mode'];
	$_SESSION['openid_identity'] = $_GET['openid_identity'];
	
	if (isset($_GET['openid_assoc_handle']) && ($_GET['openid_assoc_handle'])) {
		$_SESSION['openid_assoc_handle'] = $_GET['openid_assoc_handle'];
	}

	$_SESSION['openid_return_to'] = $_GET['openid_return_to'];
	
	if (isset($_GET['openid_trust_root']) && ($_GET['openid_trust_root'])) {
		$_SESSION['openid_trust_root'] = $_GET['openid_trust_root'];
	} else {
		$_SESSION['openid_trust_root'] = $_GET['openid_return_to'];
	}

	if (isset($_GET['openid_sreg_required']) && ($_GET['openid_sreg_required'])) {
		$_SESSION['openid_sreg_required'] = $_GET['openid_sreg_required'];
	} else {
		$_SESSION['openid_sreg_required'] = '';
	}

	if (isset($_GET['openid_sreg_optional']) && ($_GET['openid_sreg_optional'])) {
		$_SESSION['openid_sreg_optional'] = $_GET['openid_sreg_optional'];
	} else {
		$_SESSION['openid_sreg_optional'] = '';
	}

	if (isset($_GET['openid_sreg_policy_url']) && ($_GET['openid_sreg_policy_url'])) {
		$_SESSION['openid_sreg_policy_url'] = $_GET['openid_sreg_policy_url'];
	}
	
	if (!(isset($_SESSION['user_id']) && ($_SESSION['user_id']))) {
		header("Location: signin.php");
		exit;
	} else {
		header("Location: trust.php");
		exit;
	}

// Mode : Checkid_setup
} elseif (isset($_GET['openid_mode']) && ($_GET['openid_mode'] == 'checkid_setup')) {
	
	// Verification Identity
	if (!(isset($_GET['openid_identity']) && ($_GET['openid_identity']))) {
		?><b>Error</b> : Your request did not contain the value "openid.identity".<?
		exit;
	}
	
	// Verification Identity Domain
	if (!(strpos($_GET['openid_identity'], str_replace('www.', '', OPENIDOO_DOMAIN)) !== FALSE)) {
		?><b>Error</b> : OpenIDOO is not authorized to verify the identity "<?=htmlentities($_GET['openid_identity'], ENT_QUOTES, 'UTF-8')?>".<?
		exit;
	}

	// Verification Return To
	if (!(isset($_GET['openid_return_to']) && ($_GET['openid_return_to']))) {
		?><b>Error</b> : Your request did not contain the value "openid.return_to".<?
		exit;
	}

	// Verification Scheme URL Return To
	$openid_return_to = parse_url($_GET['openid_return_to']);
	if (!(isset($openid_return_to['scheme']) && ($openid_return_to['scheme']) && isset($openid_return_to['host']) && ($openid_return_to['host']))) {
		?><b>Error</b> : The value "openid.return_to" is not valid ("<?=htmlentities($_GET['openid_return_to'], ENT_QUOTES, 'UTF-8')?>").<?
		exit;
	}
	
	// Verification URL Trust Root
	if (isset($_GET['openid_trust_root']) && ($_GET['openid_trust_root'])) {

		// Verification Scheme URL Trust Root
		$openid_trust_root = parse_url($_GET['openid_trust_root']);
		if (!(isset($openid_trust_root['scheme']) && ($openid_trust_root['scheme']) && isset($openid_trust_root['host']) && ($openid_trust_root['host']))) {
			?><b>Error</b> : The value "openid.trust_root" is not valid ("<?=htmlentities($_GET['openid_trust_root'], ENT_QUOTES, 'UTF-8')?>").<?
			exit;
		}

		// Verification URLs Return To and Trust Root
		if (!(strpos($openid_trust_root['host'], $openid_return_to['host']) !== FALSE)) {
			?><b>Error</b> : The "openid.trust_root" Host is different of the "openid.return_to" Host ("<?=htmlentities($openid_trust_root['host']." - ".$openid_return_to['host'], ENT_QUOTES, 'UTF-8')?>").<?
			exit;
		}
	}

	$_SESSION['openid_mode'] = $_GET['openid_mode'];
	$_SESSION['openid_identity'] = $_GET['openid_identity'];
	
	if (isset($_GET['openid_assoc_handle']) && ($_GET['openid_assoc_handle'])) {
		$_SESSION['openid_assoc_handle'] = $_GET['openid_assoc_handle'];
	}

	$_SESSION['openid_return_to'] = $_GET['openid_return_to'];
	
	if (isset($_GET['openid_trust_root']) && ($_GET['openid_trust_root'])) {
		$_SESSION['openid_trust_root'] = $_GET['openid_trust_root'];
	} else {
		$_SESSION['openid_trust_root'] = $_GET['openid_return_to'];
	}

	if (isset($_GET['openid_sreg_required']) && ($_GET['openid_sreg_required'])) {
		$_SESSION['openid_sreg_required'] = $_GET['openid_sreg_required'];
	} else {
		$_SESSION['openid_sreg_required'] = '';
	}

	if (isset($_GET['openid_sreg_optional']) && ($_GET['openid_sreg_optional'])) {
		$_SESSION['openid_sreg_optional'] = $_GET['openid_sreg_optional'];
	} else {
		$_SESSION['openid_sreg_optional'] = '';
	}

	if (isset($_GET['openid_sreg_policy_url']) && ($_GET['openid_sreg_policy_url'])) {
		$_SESSION['openid_sreg_policy_url'] = $_GET['openid_sreg_policy_url'];
	}

	if (!(isset($_SESSION['user_id']) && ($_SESSION['user_id']))) {
		header("Location: signin.php");
		exit;
	} else {
		header("Location: trust.php");
		exit;
	}

} elseif (isset($_POST['openid_mode']) && ($_POST['openid_mode'] == 'check_authentication')) {
	
	// Verification Identity
	if (!(isset($_POST['openid_assoc_handle']) && ($_POST['openid_assoc_handle']))) {
		?><b>Error</b> : Your request did not contain the value "openid.assoc_handle".<?
		exit;
	}

	if (!(isset($_POST['openid_sig']) && ($_POST['openid_sig']))) {
		?><b>Error</b> : Your request did not contain the value "openid.sig".<?
		exit;
	}

	if (!(isset($_POST['openid_signed']) && ($_POST['openid_signed']))) {
		?><b>Error</b> : Your request did not contain the value "openid.signed".<?
		exit;
	}
	
	$_SESSION['openid_mode'] = 'id_res';
	$_SESSION['openid_identity'] = $_POST['openid_identity'];
	
	if (isset($_POST['openid_assoc_handle']) && ($_POST['openid_assoc_handle'])) {
		$_SESSION['openid_assoc_handle'] = $_POST['openid_assoc_handle'];
	}

	$_SESSION['openid_return_to'] = $_POST['openid_return_to'];
	
	if (isset($_POST['openid_trust_root']) && ($_POST['openid_trust_root'])) {
		$_SESSION['openid_trust_root'] = $_POST['openid_trust_root'];
	} else {
		$_SESSION['openid_trust_root'] = $_POST['openid_return_to'];
	}
	
	if (isset($_POST['openid_sig']) && ($_POST['openid_sig'])) {
		$_SESSION['openid_sig'] = $_POST['openid_sig'];
	} else {
		$_SESSION['openid_sig'] = $_POST['openid_sig'];
	}
	
	if (isset($_POST['openid_signed']) && ($_POST['openid_signed'])) {
		$_SESSION['openid_signed'] = $_POST['openid_signed'];
	} else {
		$_SESSION['openid_signed'] = $_POST['openid_signed'];
	}

	$link_server = mysql_connect(OPENIDOO_DB_SERVER, OPENIDOO_DB_USER, OPENIDOO_DB_PASSWORD);
	$select_db = mysql_select_db(OPENIDOO_DB_DATABASE, $link_server);

	if ((!$link_server) or (!$select_db)) {
		die('Connection failed.');
	} else {	

		if (!($sql_assoc_handle = mysql_query("SELECT assoc_handle, secret, server_name, expire FROM openidoo_associations WHERE assoc_handle='".mysql_escape_string($_POST['openid_assoc_handle'])."' AND expire > UNIX_TIMESTAMP()", $link_server))) {
			die('Query failed.');
		} else {

			if (mysql_num_rows($sql_assoc_handle) == 1) {
				$sql_secret = mysql_result($sql_assoc_handle, 0, 'secret');
				$server_name = mysql_result($sql_assoc_handle, 0, 'server_name');
				$secret = create_sig($sql_secret, $_SESSION['openid_signed'], $_SESSION);

				if (!(strpos($_SESSION['openid_trust_root'], $server_name) !== FALSE)) {
					$authentication_response = "openid.mode:id_res\n";
					$authentication_response .= "is_valid:false\n";
					$authentication_response .= "invalidate_handle:".htmlentities($_POST['openid_assoc_handle'], ENT_QUOTES, 'UTF-8');
					echo $authentication_response;
					exit;
				}

				if ($_SESSION['openid_sig'] == $secret) {
					$authentication_response = "openid.mode:id_res\n";
					$authentication_response .= "is_valid:true\n";
					echo $authentication_response;
					exit;
				} else {
					$authentication_response = "openid.mode:id_res\n";
					$authentication_response .= "is_valid:false\n";
					$authentication_response .= "invalidate_handle:".htmlentities($_POST['openid_assoc_handle'], ENT_QUOTES, 'UTF-8');
					echo $authentication_response;
					exit;
				}

			} else {
				$authentication_response = "openid.mode:id_res\n";
				$authentication_response .= "is_valid:false\n";
				$authentication_response .= "invalidate_handle:".htmlentities($_POST['openid_assoc_handle'], ENT_QUOTES, 'UTF-8');
				echo $authentication_response;
				exit;
			}

		}
	}

} elseif (isset($_POST['openid_mode']) && ($_POST['openid_mode'] == 'associate')) {

	$link_server = mysql_connect(OPENIDOO_DB_SERVER, OPENIDOO_DB_USER, OPENIDOO_DB_PASSWORD);
	$select_db = mysql_select_db(OPENIDOO_DB_DATABASE, $link_server);

	if ((!$link_server) or (!$select_db)) {
		die('Connection failed.');
	} else {

		$assoc_handle = create_assoc_handle();
		$secret = create_secret();
		$expire = time()+1209600;

		if (!mysql_query("INSERT INTO openidoo_associations (assoc_handle, secret, server_name, expire, assoc_type) VALUES ('".mysql_escape_string($assoc_handle)."', '".mysql_escape_string($secret)."', '', '".mysql_escape_string($expire)."', 'HMAC-SHA1')", $link_server)) {
			die('Query failed.');
		} else {
			header("Content-Type: text/plain");
			$associate_response = "assoc_handle:".$assoc_handle."\n";
			$associate_response .= "assoc_type:HMAC-SHA1\n";
			$associate_response .= "expires_in:1209600\n";
			$associate_response .= "mac_key:".base64_encode($secret);
			echo $associate_response;
			exit;
		}
	}

// No Mode
} else {
	header("Status: 400 Bad request", false, 400);
	?>This is an OpenID server endpoint. For more information, see http://openid.net/<?
	exit;
}

?>
